Release History


Current

1.6.0

  • [NEW] Policy Scan Predicate Attestation: Publishes a detailed evaluation record alongside the Verification Summary, capturing per-policy results and evaluated policy snapshots for diagnostics and audit

  • [NEW] Dependency Scoring Policy: Scores dependency health using a 2-category SLO compliance model (vulnerability remediation and upgrade hygiene) with configurable baselines and achievement tiers

  • [NEW] MCP Tools for AI Agents: Introduces get-purl-profile, get-purl-dependencies, and get-purl-gate-detail tools enabling AI agents to query supply chain provenance without parsing raw attestation JSON

  • [NEW] Presigned URL Authentication: Supports HMAC-SHA256 presigned URLs for time-limited, credential-free access to package attestation data — ideal for CI/CD pipelines and artifact proxies

  • [IMPROVED] External API Resilience: Adds configurable retry with exponential backoff, concurrency limits, and graceful degradation for OSV and OSI API communication

  • [IMPROVED] Case-Insensitive Policy Scan Matching: Normalizes policy scan names to lowercase for consistent matching across verifiers

31st March 2026
  • [NEW] Dashboard: Explore package provenance, policy gate results, and vulnerability details through a new server-rendered dashboard with release line filtering

  • [NEW] MCP Tools: Investigate package provenance interactively with three new PURL-focused MCP tools for profile discovery, dependency retrieval, and gate activity detail

  • [NEW] PURL Package Endpoint: Access package-level insights through a new HTML and JSON API resource endpoint

  • [NEW] Dependency Scoring Policy: Enforce minimum quality thresholds for dependencies with per-category scores and configurable weights

  • [NEW] Policy-Scan Packages Index: Query gate activity by package efficiently with a new package-first reverse index

  • [NEW] PolicyScanPredicate Attestation: Record policy evaluation results as a dedicated attestation type for downstream verification

  • [NEW] DependencyInsights Presigned URL: Retrieve DependencyInsights attestations securely through time-limited presigned URLs

  • [NEW] Attestation Flow Detection: Determine the flow-establishing policy scan automatically from Verification Summary attestations

  • [NEW] VERS Range Parsing: Interpret version ranges and infer release lines for precise dependency resolution

  • [NEW] External API Resilience: Improve reliability of OSV and OSI integrations with configurable retry and concurrency controls

  • [FIX] Attestation Retrieval: Return a proper 404 response instead of 500 when a requested attestation is not found in S3

  • [NEW] Documentation: Expand reference documentation with DependencyScoring policy configuration and resilient API properties

Previous Versions

1.5.0

19th February 2026
  • [NEW] Dependency Insights Attestation: Prioritize risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data

      ◦ Enable downstream policy engines to calculate exact base, temporal, or environmental scores by passing the full vector string and type for vulnerabilities

  • [NEW] Dynamic Attestation Insights: Automatically enrich Policy Scan™ evaluations with live vulnerability and hygiene data resolved on-the-fly from static attestations

      ◦ Ensure full traceability by automatically persisting insights to the source store and including them in the final Verification Summary

  • [NEW] Service Architecture: Retrieve dependency metadata efficiently through a new non-blocking "Two-Wave" parallel pipeline

1.4.0

13th February 2026
  • [NEW] PublishRepositories Attestation: Track repository URLs and publication timestamps for artifacts to provide comprehensive provenance

  • [NEW] PublishRepositories Policy: Ensure artifacts are sourced from trusted repositories with automated policy enforcement

  • [NEW] API Error Reference: Standardize API error responses using RFC 7807 and provide a detailed reference guide for faster troubleshooting

  • [NEW] System Performance: Scale attestation generation with improved concurrency and reduced resource overhead via optimized build event processing

  • [NEW] Observability & Monitoring: Enhance visibility with unified HTTP client metrics to track success rates and latencies for Develocity and Artifactory connections

  • [NEW] External Integration Resilience: Improve reliability under unstable network conditions with configurable retry policies and per-instance token expiration for Develocity integrations

  • [NEW] Internal Architecture: Enhance robustness and extensibility for provenance data through a modularized publishing pipeline

1.3.1

2nd January 2026
  • [NEW] Dependency Updates: Maintain security and performance by updating internal dependencies to their latest versions

  • [NEW] Prometheus Metrics: Simplify monitoring integration by exposing Prometheus metrics on the management port (9090) at /actuator/prometheus

1.3.0

12th December 2025
  • [NEW] VerificationSummary Policy: Evaluate artifacts based on Verification Summary Attestations (VSAs) with a new policy type

      ◦ Enforce build gates and scan requirements by verifying that artifacts have passed specific verification processes

      ◦ Prevent verifier impersonation with support for signature key binding

1.2.0

8th December 2025
  • [NEW] SLSA Verification Summary Attestations: Provide cryptographically verifiable evidence of policy compliance with a full implementation of SLSA v1.2 Verification Summary attestations

  • [NEW] Policy Loading Improvements: Improve reliability and error reporting for YAML policy loading with better handling of document separators and edge cases

  • [NEW] Artifactory Integration: Improve traceability and reliability for Artifactory integrations with enhanced retry logic and improved URI generation

  • [NEW] API Documentation: Simplify integration with detailed documentation for fetching attestations by ID, including DSSE and in-toto payload formats

  • [NEW] Quick Start Guide: Onboard quickly with a restructured guide and new k3d deployment options

1.1.0

21st November 2025
  • [NEW] Deterministic S3 Attestation Storage: Support centralized and deterministic storage by storing attestations in Amazon S3

  • [NEW] S3 Attestation Store Reader: Retrieve attestations directly from S3 for policy evaluation

  • [NEW] Fetch Attestation by ID: Retrieve specific attestations via a new API endpoint using their unique identifier

  • [NEW] AttestationsExist Policy: Ensure mandatory attestations are present with a new policy type

1.0.1

11th November 2025
  • [NEW] Dependency Updates: Maintain system stability with core dependency updates

1.0.0

17th October 2025
  • Initial release of Develocity Provenance Governor